Abstract — An encryption scheme is said to be entropically secure
if an adversary whose min-entropy on the message is upper 
bounded cannot guess any function of the message. Similarly, 
an encryption scheme is entropically indistinguishable if the 
encrypted version of a message whose min-entropy is high 
enough is statistically indistinguishable from a fixed distribution. 
We present full generalizations of these two concepts to the 
encryption of quantum states in which the quantum conditional 
min-entropy, as introduced by Renner, is used to bound the 
adversary's prior information on the message. A proof of the 
equivalence between quantum entropic security and quantum 
entropic indistinguishability is presented. We also provide proofs 
of security for two different ciphers in this model and a proof 
for a lower bound on the key length required by any such 
cipher. These ciphers generalize existing schemes for approximate 
quantum encryption to the entropic security model. 

Index Terms — quantum information, cryptography, entropic security



I. Introduction 

Semantic security, whether it is computational, as introduced in [1], information theoretic in a classical setting,
as introduced in [2] and [3], or information theoretic in 
a limited quantum setting, as introduced in [4], contrasts 
the capabilities of two adversaries: one (A) that has access 
to an encrypted version of the message, and another (A') 
that does not. Their abilities to predict a function on the 
initial message are compared. Of course A' seems to be at a 
tremendous disadvantage: it has access to nothing but the prior 
distribution of the plain text, whereas A also has access to an 
encrypted version of the plain text and could potentially use 
imperfections in the encryption scheme to gain an advantage. 
However, this can become a way to bound these imperfections: 
an encryption scheme is considered semantically secure if, 
for every adversary A, there exists an A' that can predict 
every function on the plaintext almost as well as A without 
even having access to the encrypted message. This is a very 
strong security criterion, especially in the information theoretic 
setting. 

Perhaps surprisingly, it is possible to construct semantically 
secure encryption schemes which, depending on their setting, 
make very few assumptions on A and yet do not require keys 
to be as long as the message. In the computational setting, 
Goldwasser and Micali [1] had as a constraint that both A
and A' were probabilistic polynomial-time machines. In their 
model, they could construct encryption schemes which, on all 
message distributions, would render A as useless as A'. In 
the information theoretic setting, introduced by Russell and 
Wang [2] and expanded upon by Dodis and Smith [3], no 
computational limitation is imposed on A or A'. In order to 
achieve significant key size reduction, a limit on the prior 
knowledge of A on the plain text space is assumed. In fact, 
a lower bound on the min-entropy of the message space is 
assumed: the most probable message is not too probable. 
For this reason, this concept is called entropic security in 
the context of information-theoretic security. In the quantum 
information theoretic setting, as introduced by Desrosiers [4], 
the exact same restriction on the min-entropy is imposed on A, 
except that this time messages are quantum states which are 
further assumed to be unentangled with any quantum system 
that the adversary might possess. If these two restrictions 
are satisfied, one can construct encryption schemes for the 
quantum setting which have exactly the same key size as in the 
classical setting: for an $n$-qubit message which is assumed to have a min-entropy of at least $t$, we need $n - t + \log(1/\varepsilon)$ bits of key to encrypt it securely (where $\varepsilon$ is a security parameter).

In this paper we remove one of those two restrictions. Of 
course, the limit on the min-entropy of the adversary on 
the message space is hard to remove: it is the essence of 
entropic security. However, it has to be modified in order to get 
robust definitions of security in the presence of entanglement 
between the sender and the adversary. The notion of quantum 
conditional min-entropy as introduced by Renner in [5] will 
be used to bound the prior "knowledge" of the adversary. 
This new notion of min-entropy allows us to remove the no- 
entanglement restriction and replace it by something more 
general. Indeed, if a state is not entangled, we have an 
implicit lower bound of zero on the conditional min-entropy, 
whereas in the general case, the conditional min-entropy of 
the adversary on an n-qubit system held by the sender ranges 
between $-n$ and $n$. It turns out that the key size remains the same in this model: for an $n$-qubit message about which the eavesdropper has a min-entropy of at least $t$, we still need a key of $n - t + \log(1/\varepsilon)$ bits. In the extreme case where we have no bound at all on the min-entropy, this reduces to $2n + \log(1/\varepsilon)$, which is in total agreement with the standard result of Ambainis, Mosca, Tapp and de Wolf [6].

Note that this generalizes the existing literature on approximate quantum encryption. In [7], Hayden, Leung, Shor and Winter considered the task of approximately encrypting quantum states assuming that the adversary is not entangled with the sender. They showed, using a randomized argument, that, while we need $2n$ bits of key to perfectly encrypt an $n$-qubit quantum message, there exists a scheme requiring $n + \log n + 2\log(1/\varepsilon) + O(1)$ bits of key. Ambainis and Smith [8] then gave two explicit constructions of an approximate quantum encryption scheme under the same assumption requiring $n + 2\log n + 2\log(1/\varepsilon)$ and $n + 2\log(1/\varepsilon)$ bits of key respectively. Here we recover and generalize these results.

More recently, Fehr and Schaffner [9] gave a classical encryp- 
tion scheme which is entropically secure against an adversary 
that has access to quantum information about the classical 
message. Our work also generalizes this result: when our 
encryption schemes are applied to a classical message, the 
resulting ciphertext remains classical, and the proof of security 
still works against quantum adversaries. 

We introduce our model and definitions in section III and show 
in section IV that the two security definitions we give are 
equivalent. We also prove, in section V, that two encryption 
schemes introduced by Ambainis and Smith [8] and by Dodis 
and Smith [3] (and generalized to the quantum world by 
Desrosiers [4]) are still secure using this new definition and 
require the same amount of key as in the limited quantum 
model of [4]. Finally, in section VI, we generalize a proof of 
Dodis and Smith to show that an entropic scheme that can 
encrypt any $n$-qubit state having a conditional min-entropy of at least $t$ requires at least $n - t - 1$ bits of uniform key.

II. Notation and preliminaries 

A quantum state $\rho$ is defined as a positive semidefinite operator of trace equal to 1 over some Hilbert space $\mathcal{H}$.¹ By the spectral decomposition theorem, $\rho = \sum_i \gamma_i |r_i\rangle\langle r_i|$, where the $|r_i\rangle$ form a basis for the space in which the quantum state lives and the $\gamma_i$ are non-negative real numbers that sum up to one. This can be interpreted this way: if $\rho$ is measured in the basis $\{|r_i\rangle\}$, then it behaves as a source that will output with probability $\gamma_i$ the state $|r_i\rangle$.

The partial trace can be seen as a kind of inverse to the tensor product operation. For any bipartite state $\rho^{AB}$, we have that $\rho^B = \mathrm{Tr}_A(\rho^{AB})$; the normal interpretation for such an operator is that if a physical state $\rho^{AB}$ lives in the space $AB$ but one only has access to the system $B$ to measure the state, then the statistics obtained are in agreement with $\rho^B$. The partial trace can be defined as:

i 

where the vectors $\{|e_i\rangle\}$ form any orthonormal basis for the subspace $A$. In fact, this is equivalent to doing a complete measurement of the $A$ subsystem followed by a loss of the result and of the $A$ subsystem; what is left in our hands is

¹For a thorough introduction to quantum information theory, see [10].

Throughout this paper, we will use superscripts for density matrices to indicate on which subsystems they are defined; for example, $\rho^{AB}$ is a density operator on the Hilbert space $\mathcal{H}_A \otimes \mathcal{H}_B$. By convention, when we omit certain subsystems from the superscript, we mean that we take the partial trace over the subsystems that are absent; i.e. $\rho^B = \mathrm{Tr}_A\,\rho^{AB}$. We will refer to the dimension of the Hilbert space $\mathcal{H}_A$ by $d_A$.

We will use as our main distance measure the trace distance, which is defined as
$$\|\rho - \sigma\|_1 \equiv \mathrm{Tr}(|\rho - \sigma|), \qquad (2)$$
where $|A|$ is defined as $\sqrt{A^\dagger A}$, which is simply $\sum_i |\alpha_i|\,|a_i\rangle\langle a_i|$ for a Hermitian operator $A = \sum_i \alpha_i |a_i\rangle\langle a_i|$. As [11] and chapter 9 in [10] tell us, for any two states $\rho$ and $\sigma$ there exists an optimal adversary which can distinguish between them with probability $\frac{1}{2} + \frac{1}{4}\|\rho - \sigma\|_1$; no adversary can do better.

Another useful distance measure is known as the fidelity: given two density operators $\rho$ and $\sigma$, their fidelity $F(\rho,\sigma)$ is defined as $\|\sqrt{\rho}\sqrt{\sigma}\|_1$. If $\sigma$ is a pure state this is equal to

We will also frequently make use of operator inequalities: given two Hermitian operators $A$ and $B$, we will say that $A \ge B$ iff $A - B$ is positive semidefinite.

Also, we denote by $a\|b$ the concatenation of the bit strings $a$ and $b$. $X^a$, where $a = a_1\cdots a_n$ is an $n$-bit string, means $X^a = X^{a_1}\otimes X^{a_2}\otimes\cdots\otimes X^{a_n}$. We shall also write $\mathcal{L}(\mathcal{H})$ for the space of linear operators on the Hilbert space $\mathcal{H}$. Finally, we denote by $a \odot b$ the inner product modulo 2 of the strings $a$ and $b$: $\sum_i a_i b_i \bmod 2$.

III. Model and definitions 

Entropic security as introduced by Russell and Wang [2] and generalized by Dodis and Smith [3] uses the definition of classical min-entropy to represent the adversary's knowledge on the sender's message space. Let $M$ be a random variable over the message space $\mathcal{M}$ and let $M$ take value $m$ with probability $p_m$. Then the min-entropy of $M$, written $H_\infty(M)$, is defined to be $-\log\max_m(p_m)$.

Desrosiers introduced in [4] a quantum version of these security definitions for the case where the eavesdropper and the sender are neither entangled nor correlated. In this setting, a message $\sigma_i$ is chosen at random with probability $p_i$ in a valid interpretation $\{(p_i,\sigma_i)\}$ of a state $\rho^A = \sum_i p_i\sigma_i$. Here the adversary's a priori uncertainty is quantified by the quantum min-entropy, $H_\infty(\rho^A) = -\log\max_j \gamma_j$, where the $\gamma_j$ are the eigenvalues in the spectral decomposition of $\rho^A$. The joint system of the sender and the adversary was considered to contain no correlations: i.e. $\rho^{AE} = \rho^A\otimes\rho^E$, where $E$ represents the eavesdropper's system.
In this paper, we shall show that we can fully generalize
these security definitions to the quantum setting, where no 
assumption on the entanglement between the sender and the 
adversary is made. The only restriction on the adversary 
will be quantified by the following definition introduced by 
Renner (see [5]) in his proof that the BB84 scheme, the 
original quantum key distribution protocol, is secure in the 
most general setting. We shall make no other assumption 
on the sender-eavesdropper system than the eavesdropper's 
conditional min-entropy. 

Definition 1 (Quantum conditional min-entropy). For any quantum state $\rho^{AE}$ shared between the eavesdropper and the sender, we define the conditional min-entropy of $A$ given $E$ as
$$H_\infty(A|E)_\rho = -\log \min_{\sigma^E}\min\{\lambda : \lambda\,\mathbb{I}^A\otimes\sigma^E \ge \rho^{AE}\},$$
where $\sigma^E$ ranges over all normalized density operators over $\mathcal{H}_E$.

According to [12], we can express the quantum conditional min-entropy as

where the maximization is taken over all CPTP maps $\mathcal{E} : \mathcal{L}(\mathcal{H}_E)\to\mathcal{L}(\mathcal{H}_{A'})$ and where $\mathcal{H}_{A'} = \mathcal{H}_A$.

One can prove a few properties about conditional min-entropy 
which will be handy later on. First, this lemma: 

Lemma 1. Let the joint state of the sender and the adversary be $\rho^{AE} = \rho^A\otimes\rho^E$; then $H_\infty(A|E)_\rho = H_\infty(A)_\rho$.

Proof:
$$\begin{aligned}
2^{-H_\infty(A|E)_\rho} &= \min_{\sigma^E}\min\{\lambda : \lambda\,\mathbb{I}^A\otimes\sigma^E \ge \rho^A\otimes\rho^E\}\\
&\ge \min\{\lambda : \lambda\,\mathbb{I}^A \ge \rho^A\}\\
&= \min\{\lambda : \lambda\,\mathbb{I}^A\otimes\rho^E \ge \rho^A\otimes\rho^E\}\\
&\ge \min_{\sigma^E}\min\{\lambda : \lambda\,\mathbb{I}^A\otimes\sigma^E \ge \rho^A\otimes\rho^E\}.
\end{aligned}$$
(The first inequality holds because taking the partial trace over $E$ on both sides of $\lambda\,\mathbb{I}^A\otimes\sigma^E \ge \rho^A\otimes\rho^E$ gives $\lambda\,\mathbb{I}^A \ge \rho^A$, so every feasible $\lambda$ of the first line is feasible for the second.) Since the first and last lines are the same, the two inequalities are, in fact, equalities, and hence $2^{-H_\infty(A|E)_\rho} = \min\{\lambda : \lambda\,\mathbb{I}^A \ge \rho^A\} = 2^{-H_\infty(A)_\rho}$. ■

We can conclude from this lemma that if the sender and the 
adversary are not correlated, then the earlier results of [4] can 
be used. 

Furthermore, König, Renner and Schaffner [12] show that for a state of the form $\rho^{AE} = \sum_i p_i |i\rangle\langle i|^A\otimes\rho_i^E$ (i.e. $A$ holds classical information and $E$ holds a quantum state containing partial information on $A$), the quantum conditional min-entropy $H_\infty(A|E)_\rho$ characterizes Eve's optimal probability of guessing $A$ by measuring $E$.

Note also that if the $A$ and $E$ systems are in a maximally entangled state $\sum_{i=1}^{d}\frac{1}{\sqrt d}|i\rangle^A|i\rangle^E$, where $n = \log d$, then
$$H_\infty(A|E)_\rho = -n. \qquad (3)$$
Hence, the quantum conditional min-entropy ranges from $-n$ to $n$ for an $n$-qubit system and, as is the case with the von Neumann conditional entropy, negative values arise from purely quantum effects.
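Worked example (added by the editor; not part of the original paper). The two endpoints of the range just stated, and the product case of Lemma 1, follow directly from Definition 1. The symbols are the paper's; the one-qubit numbers in (ii) are constructed for illustration.

$$\text{(i) Maximally entangled: } \rho^{AE} = |\Phi\rangle\langle\Phi|,\quad |\Phi\rangle = \tfrac{1}{\sqrt d}\textstyle\sum_{i=1}^{d}|i\rangle^A|i\rangle^E,\quad d = 2^n.$$
If $(\lambda,\sigma^E)$ is feasible, i.e. $\lambda\,\mathbb{I}^A\otimes\sigma^E \ge |\Phi\rangle\langle\Phi|$, then sandwiching both sides with $\langle\Phi|\cdot|\Phi\rangle$ gives
$$\lambda\,\langle\Phi|\mathbb{I}^A\otimes\sigma^E|\Phi\rangle = \lambda\,\frac{\mathrm{Tr}(\sigma^E)}{d} = \frac{\lambda}{d} \ \ge\ \langle\Phi|\Phi\rangle = 1, \qquad\text{so } \lambda \ge d.$$
Conversely $\lambda = d$, $\sigma^E = \mathbb{I}^E/d$ is feasible because $\mathbb{I}^A\otimes\mathbb{I}^E \ge |\Phi\rangle\langle\Phi|$ (a projector is at most the identity). Hence
$$2^{-H_\infty(A|E)_\rho} = d \quad\Longrightarrow\quad H_\infty(A|E)_\rho = -\log d = -n,$$
which is (3).

$$\text{(ii) Product state, one qubit: } \rho^{AE} = \rho^A\otimes\rho^E,\quad \rho^A = \tfrac34|0\rangle\langle 0| + \tfrac14|1\rangle\langle 1|.$$
By Lemma 1, $H_\infty(A|E)_\rho = H_\infty(A)_\rho = -\log\max_i\gamma_i = -\log\tfrac34 = \log\tfrac43 \approx 0.415$. Directly: $\lambda = \tfrac34$, $\sigma^E = \rho^E$ is feasible since $\tfrac34\mathbb{I}^A - \rho^A = \mathrm{diag}(0,\tfrac12) \ge 0$; no smaller $\lambda$ works, because tracing out $E$ from $\lambda\,\mathbb{I}^A\otimes\sigma^E \ge \rho^A\otimes\rho^E$ gives $\lambda\,\mathbb{I}^A \ge \rho^A$, forcing $\lambda \ge \tfrac34$.

$$\text{(iii) Maximally mixed message: } \rho^{AE} = \frac{\mathbb{I}^A}{d}\otimes\rho^E.$$
Taking $\sigma^E = \rho^E$ and $\lambda = 1/d$ is feasible (equality holds), and any feasible $\lambda$ satisfies $\lambda\,d\,\mathrm{Tr}(\sigma^E) \ge \mathrm{Tr}(\rho^{AE}) = 1$ after taking the trace of both sides, so $\lambda \ge 1/d$. Thus $H_\infty(A|E)_\rho = n$, the upper end of the range, while (i) attains the lower end $-n$.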

In our model, we will consider a protocol to be secure if the adversary is incapable of obtaining classical information about the message encoded in any basis. We will therefore model the adversary as a POVM on the encrypted message together with the adversary's side information. Since entropic security, even in the classical case (see [3]), does not have good composability properties (i.e. the security of the scheme does not necessarily imply that it can be securely embedded in a larger cryptographic protocol), we will not consider adversaries that keep quantum information without measuring it in the hopes of mounting a more effective attack later after having received more information. We are interested in the predictive capabilities of an adversary that was given $\mathcal{E}(\rho_i)$ (see below for the formal definition of a cipher $\mathcal{E}$), compared to those of an adversary that was not given such a state, in predicting a function of $i$. Since our adversary is a POVM, we take its output to be a prediction of the function $f$. We shall denote the random variable that is the output of $\mathsf{A}$ on any given state $\gamma$ by $\mathsf{A}(\gamma)$; that is, if $\{A_i\}_{i\in I}$ is the set of POVM elements associated with $\mathsf{A}$, then $\mathsf{A}(\gamma)$ is a random variable which takes the value $i$ with probability $\mathrm{Tr}[A_i\gamma]$.

An encryption scheme $\mathcal{E}$ is a set of superoperators $\{\mathcal{E}_k\}$ indexed by a uniformly distributed key $k\in\{1,\dots,K\}$ such that for each $k$ there exists an inverting operator $\mathcal{D}_k$ such that for all $\rho^{AE}$, with probability one we have
$$(\mathcal{D}_k\otimes\mathbb{I})\big((\mathcal{E}_k\otimes\mathbb{I})(\rho)\big) = \rho. \qquad (4)$$
The view of the adversary is then $(\mathcal{E}\otimes\mathbb{I})(\rho^{AE}) = \frac{1}{K}\sum_{k=1}^{K}(\mathcal{E}_k\otimes\mathbb{I})(\rho^{AE})$. To simplify the notation, we will write $\mathcal{E}(\rho^{AE})$ instead of $(\mathcal{E}\otimes\mathbb{I})(\rho^{AE})$ from now on. Note that in general, $\mathcal{E}$ maps systems on space $AE$ to systems on space $A'E$; the dimension of $A'$ could be larger than the dimension of $A$.

Both [3] and [4] presented security definitions equivalent in 
their respective models to the following two security defini- 
tions. 

Note that throughout this paper, we shall be mostly concerned with encryption schemes where the message to be sent consists of $n$ qubits; therefore $n = \log d_A$ from now on.

Definition 2 (Entropic Security). An encryption system $\mathcal{E}$ is $(t,\varepsilon)$-entropically secure if for all states $\rho^{AE}$ such that $H_\infty(A|E)_\rho \ge t$, all interpretations $\{(p_i,\sigma_i^{AE})\}$, all adversaries $\mathsf{A}$ and all functions $f$, there exists an $\mathsf{A}'$ such that we have:²
$$\left|\Pr[\mathsf{A}(\mathcal{E}(\sigma_i^{AE})) = f(i)] - \Pr[\mathsf{A}'(\sigma_i^E) = f(i)]\right| \le \varepsilon. \qquad (5)$$

Note that everywhere, we take probabilities over all $i$ and all randomness used by the adversaries and the cipher.

Definition 3 (Entropic Indistinguishability). An encryption system $\mathcal{E}$ is $(t,\varepsilon)$-indistinguishable if there exists a state $\Omega^{A'}$ such that for all states $\rho^{AE}$ such that $H_\infty(A|E)_\rho \ge t$ we have that:
$$\left\|\mathcal{E}(\rho^{AE}) - \Omega^{A'}\otimes\rho^E\right\|_1 \le \varepsilon. \qquad (6)$$



IV. Equivalence between the two security definitions

This section will show that an encryption scheme which is 
entropically secure is entropically indistinguishable, and vice- 
versa, up to small variations in the t and e parameters. Before 
presenting these proofs, however, we will need an additional 
definition and a technical lemma. The following variation on 
entropic security will prove to be useful in the sequel: 

Definition 4 (Strong entropic security). An encryption system $\mathcal{E}$ is strongly $(t,\varepsilon)$-entropically secure if for all states $\rho^{AE}$ such that $H_\infty(A|E)_\rho \ge t$, all interpretations $\{(p_i,\sigma_i^{AE})\}$, all adversaries $\mathsf{A}$, and all functions $f$, we have
$$\left|\Pr[\mathsf{A}(\mathcal{E}(\sigma_i^{AE})) = f(i)] - \Pr[\mathsf{A}(\mathcal{E}(\rho^A)\otimes\sigma_i^E) = f(i)]\right| \le \varepsilon. \qquad (7)$$

Note that in this case both uses of $\mathcal{E}$ are independent. Strong $(t,\varepsilon)$-entropic security clearly implies regular $(t,\varepsilon)$-entropic security, since $\mathsf{A}$ used on $\sigma_i^E$ and an encrypted message independent of $\sigma_i^E$ (which can be prepared by Eve in her lab) is a valid choice for $\mathsf{A}'$.

The following lemma says that one does not need to consider 
all possible functions, but one can restrict the analysis to 
predicates: 

Lemma 2. Let $\rho^{AE}$ be a state, $\{(p_i,\sigma_i^{AE})\}$ be an interpretation, $\mathcal{E}$ be a cipher, $f$ be a function and $\mathsf{A}$ be an adversary such that
$$\left|\Pr[\mathsf{A}(\mathcal{E}(\sigma_i^{AE})) = f(i)] - \Pr[\mathsf{A}(\mathcal{E}(\rho^A)\otimes\sigma_i^E) = f(i)]\right| > \varepsilon;$$
then there exist an adversary $\mathsf{B}$ and a predicate $h$ such that
$$\left|\Pr[\mathsf{B}(\mathcal{E}(\sigma_i^{AE})) = h(i)] - \Pr[\mathsf{B}(\mathcal{E}(\rho^A)\otimes\sigma_i^E) = h(i)]\right| > \frac{\varepsilon}{2}.$$

Proof: Let our predicate be a Goldreich–Levin predicate [13], that is $h_r(x) = r\odot f(x)$. Let $p = \Pr[\mathsf{A}(\mathcal{E}(\sigma_i^{AE})) = f(i)]$ and $q = \Pr[\mathsf{A}(\mathcal{E}(\rho^A)\otimes\sigma_i^E) = f(i)]$. Then we know that $|p - q| > \varepsilon$. Let us compute
$$\mathbb{E}_r\Big[\Pr[r\odot\mathsf{A}(\mathcal{E}(\sigma_i^{AE})) = h_r(i)] - \Pr[r\odot\mathsf{A}(\mathcal{E}(\rho^A)\otimes\sigma_i^E) = h_r(i)]\Big] \qquad (8)$$
where the expectation is taken over all $r$ of adequate size. We need two observations. First, when $\mathsf{A}$ predicts correctly, then $r\odot\mathsf{A}(\mathcal{E}(\sigma_i^{AE})) = h_r(i)$. Second, when $\mathsf{A}$ does not predict correctly, the probability that $r\odot\mathsf{A}(\mathcal{E}(\sigma_i)) = h_r(i)$ is exactly one half. Hence Equation (8) reduces to
$$\Big[1\cdot p + \tfrac{1}{2}(1-p)\Big] - \Big[1\cdot q + \tfrac{1}{2}(1-q)\Big] = \frac{p-q}{2}, \qquad (9)$$
whose absolute value is greater than $\varepsilon/2$. Thus there exists at least one value $r$ such that the following is true:
$$\left|\Pr[r\odot\mathsf{A}(\mathcal{E}(\sigma_i^{AE})) = h_r(i)] - \Pr[r\odot\mathsf{A}(\mathcal{E}(\rho^A)\otimes\sigma_i^E) = h_r(i)]\right| > \frac{\varepsilon}{2}.$$
The lemma is proven if adversary $\mathsf{B}(\cdot)$ is defined, using this appropriate $r$, as $r\odot\mathsf{A}(\cdot)$. ■

²One can also get an equivalent definition by using functions on the states $\sigma_i^{AE}$ rather than on the indices $i$.

Theorem 1. $(t-1,\varepsilon/2)$-entropic indistinguishability implies strong $(t,\varepsilon)$-entropic security for all functions.

Proof: We shall prove the contrapositive. Suppose there exists an adversary $\mathsf{B}$, a state $\rho^{AE}$ such that $H_\infty(A|E)_\rho \ge t$, an interpretation $\{(p_i,\sigma_i^{AE})\}$ for $\rho^{AE}$ and a function $f$ such that
$$\left|\Pr[\mathsf{B}(\mathcal{E}(\sigma_i^{AE})) = f(i)] - \Pr[\mathsf{B}(\mathcal{E}(\rho^A)\otimes\sigma_i^E) = f(i)]\right| > \varepsilon. \qquad (10)$$
Then we know from Lemma 2 that there exists another adversary and a predicate $h$ such that strong $(t,\varepsilon/2)$-entropic security is violated. Let's call this adversary $\mathsf{A}$ and let us define the sets $E_0$ and $E_1$ as follows:
$$E_0 = \{i \mid h(i) = 0\}, \qquad (11)$$
$$E_1 = \{i \mid h(i) = 1\}. \qquad (12)$$
Define the following:

$r_1 =$

Note that $\rho^{AE} = r_0\tau_0^{AE} + r_1\tau_1^{AE}$. Now, define the following states:
$$\tilde\tau_0^{AE} = r_0\,\tau_0^{AE} + r_1\,\rho^A\otimes\tau_1^E, \qquad (13)$$
$$\tilde\tau_1^{AE} = r_1\,\tau_1^{AE} + r_0\,\rho^A\otimes\tau_0^E, \qquad (14)$$
where, as usual, $\tau_j^E = \mathrm{Tr}_A[\tau_j^{AE}]$. We need the following lemma to finish the proof.

Lemma 3. Assuming $H_\infty(A|E)_\rho \ge t$, we then have that both $H_\infty(A|E)_{\tilde\tau_0}$ and $H_\infty(A|E)_{\tilde\tau_1}$ are at least $t-1$.






Proof: We have that
$$\begin{aligned}
2^{-H_\infty(A|E)_{\tilde\tau_0}} &\le d_A\max_{\mathcal{E}}\langle\Phi|\mathcal{E}(\rho^{AE})|\Phi\rangle + d_A\max_{\mathcal{E}}\langle\Phi|\rho^A\otimes\mathcal{E}(\rho^E)|\Phi\rangle\\
&\le 2^{-t} + d_A\max_{\mathcal{E}}\langle\Phi|\rho^A\otimes\mathcal{E}(\rho^E)|\Phi\rangle. \qquad (15)
\end{aligned}$$
We now bound the second term using the original definition of the conditional min-entropy:
$$\begin{aligned}
\min_{\sigma^E}\min\{\lambda : \lambda\,\mathbb{I}^A\otimes\sigma^E \ge \rho^A\otimes\rho^E\} &\le \min\{\lambda : \lambda\,\mathbb{I}^A\otimes\rho^E \ge \rho^A\otimes\rho^E\}\\
&= \min\{\lambda : \lambda\,\mathbb{I}^A \ge \rho^A\}\\
&\le \min_{\sigma^E}\min\{\lambda : \lambda\,\mathbb{I}^A\otimes\sigma^E \ge \rho^{AE}\} \qquad (16)\\
&\le 2^{-t}.
\end{aligned}$$
Substituting this into the last line of (15) yields $H_\infty(A|E)_{\tilde\tau_0} \ge t-1$. Of course, an identical calculation yields the same result for $\tilde\tau_1^{AE}$. ■

To finish the proof of Theorem 1, we want to show that $\mathsf{A}$ can distinguish $\mathcal{E}(\tilde\tau_0^{AE})$ from $\mathcal{E}(\tilde\tau_1^{AE})$ with probability strictly better than $1/2 + \varepsilon/4$. Let's denote by $\eta$ the probability that $\mathsf{A}$ will correctly distinguish $\mathcal{E}(\tau_0^{AE})$ from $\mathcal{E}(\tau_1^{AE})$ in an $r_0,r_1$ mixture, and by $\alpha$ the probability that $\mathsf{A}$ will correctly distinguish $\mathcal{E}(\rho^A)\otimes\tau_0^E$ from $\mathcal{E}(\rho^A)\otimes\tau_1^E$ in an $r_0,r_1$ mixture. Also assume without loss of generality that $\eta > \alpha$ (otherwise consider an adversary identical to $\mathsf{A}$ but which returns the opposite answer). Now assume that we feed it $\mathcal{E}(\tilde\tau_0^{AE})$ with probability $1/2$ and $\mathcal{E}(\tilde\tau_1^{AE})$ with probability $1/2$. Observe that this is exactly as if we gave it an $r_0,r_1$ mixture of $\mathcal{E}(\tau_0^{AE})$ and $\mathcal{E}(\tau_1^{AE})$ with probability $1/2$ and an $r_0,r_1$ mixture of $\mathcal{E}(\rho^A)\otimes\tau_0^E$ and $\mathcal{E}(\rho^A)\otimes\tau_1^E$ with probability $1/2$. We then have that the probability of distinguishing $\mathcal{E}(\tilde\tau_0^{AE})$ from $\mathcal{E}(\tilde\tau_1^{AE})$ using $\mathsf{A}$ is
$$\frac{1}{2}\,\eta + \frac{1}{2}\,(1-\alpha) = \frac{1}{2} + \frac{1}{2}(\eta-\alpha),$$
since the correct answer is reversed for $\mathcal{E}(\rho^A)\otimes\tau_0^E$ and $\mathcal{E}(\rho^A)\otimes\tau_1^E$.

But by the assumption that $\mathsf{A}$ violates entropic security, we know that
$$\eta - \alpha = \Pr[\mathsf{A}(\mathcal{E}(\sigma_i^{AE})) = h(i)] - \Pr[\mathsf{A}(\mathcal{E}(\rho^A)\otimes\sigma_i^E) = h(i)] > \varepsilon/2.$$
Hence, the probability of distinguishing $\mathcal{E}(\tilde\tau_0^{AE})$ from $\mathcal{E}(\tilde\tau_1^{AE})$ is strictly greater than $1/2 + \varepsilon/4$, which implies that for all $\Omega^{A'}$ we have:
$$\varepsilon < \left\|\mathcal{E}(\tilde\tau_0^{AE}) - \mathcal{E}(\tilde\tau_1^{AE})\right\|_1 \le \left\|\mathcal{E}(\tilde\tau_0^{AE}) - \Omega^{A'}\otimes\rho^E\right\|_1 + \left\|\mathcal{E}(\tilde\tau_1^{AE}) - \Omega^{A'}\otimes\rho^E\right\|_1, \qquad (17)$$
and therefore either $\|\mathcal{E}(\tilde\tau_0^{AE}) - \Omega^{A'}\otimes\rho^E\|_1 > \varepsilon/2$ or $\|\mathcal{E}(\tilde\tau_1^{AE}) - \Omega^{A'}\otimes\rho^E\|_1 > \varepsilon/2$, which is a violation of $(t-1,\varepsilon/2)$-indistinguishability. ■

Theorem 2. $(t,\varepsilon)$-entropic security implies $(t-1,6\varepsilon)$-indistinguishability as long as $t \le n-1$.

Proof: We will prove the contrapositive. Let $\mathcal{E}(\mathbb{I}/d_A) = \Omega^{A'}$ and let $\rho^{AE}$ be a state such that $H_\infty(A|E)_\rho \ge t-1$ and $\|\mathcal{E}(\rho^{AE}) - \Omega^{A'}\otimes\rho^E\|_1 > 6\varepsilon$. Consider the following state
$$\tilde\rho^{AE} = \frac{1}{3}\,\rho^{AE} + \frac{2}{3}\,\frac{\mathbb{I}^A}{d_A}\otimes\rho^E.$$
We show that $H_\infty(A|E)_{\tilde\rho} \ge t$:
$$\begin{aligned}
d_A\max_{\mathcal{E}}\langle\Phi|\mathcal{E}(\tilde\rho^{AE})|\Phi\rangle &\le \frac{1}{3}\,d_A\max_{\mathcal{E}}\langle\Phi|\mathcal{E}(\rho^{AE})|\Phi\rangle + \frac{2}{3}\,d_A\max_{\mathcal{E}}\Big\langle\Phi\Big|\frac{\mathbb{I}^A}{d_A}\otimes\mathcal{E}(\rho^E)\Big|\Phi\Big\rangle\\
&\le \frac{1}{3}\,2^{-(t-1)} + \frac{2}{3}\,\frac{1}{2^n}\\
&= \frac{2}{3}\,2^{-t}\left(1 + \frac{2^t}{2^n}\right)\\
&\le \frac{2}{3}\,2^{-t}\left(1 + \frac{1}{2}\right) = 2^{-t}.
\end{aligned}$$

Since $\|\mathcal{E}(\rho^{AE}) - \Omega^{A'}\otimes\rho^E\|_1 > 6\varepsilon$, we know that there exists an adversary that can distinguish $\mathcal{E}(\rho^{AE})$ from $\Omega^{A'}\otimes\rho^E$ with probability at least $\frac{1}{2} + \frac{3}{2}\varepsilon$. Let's call this adversary $\mathsf{A}$, and let's assume that it gives the right answer with probability $\eta_1$ when it is given $\mathcal{E}(\rho^{AE})$ and with probability $\eta_2$ when it is given $\Omega^{A'}\otimes\rho^E$. We then have $\frac{1}{2}(\eta_1+\eta_2) \ge \frac{1}{2} + \frac{3}{2}\varepsilon$.

Now, consider the following interpretation of $\tilde\rho^{AE}$:
$$\tilde\rho^{AE} = \frac{1}{3}\,\sigma_1^{AE} + \frac{1}{3}\,\sigma_2^{AE} + \frac{1}{3}\,\sigma_3^{AE},$$
where $\sigma_1^{AE} = \rho^{AE}$ and $\sigma_2^{AE} = \sigma_3^{AE} = \frac{\mathbb{I}^A}{d_A}\otimes\rho^E$. We shall show that $\mathsf{A}$ violates entropic security for $\tilde\rho^{AE}$, with this interpretation and the function $h(i) = i$.

First of all, it is clear that by having access only to Eve's system, no adversary can guess the value of $h$ with a probability greater than $1/3$. Let us now determine what $\mathsf{A}$ can do by having access to the encrypted version of $\tilde\rho^{AE}$. One possible strategy for $\mathsf{A}$ is to try to distinguish between $\mathcal{E}(\rho^{AE})$ and $\Omega^{A'}\otimes\rho^E$ and return 1 when it gets $\mathcal{E}(\rho^{AE})$ and randomly return either 2 or 3 when it gets $\Omega^{A'}\otimes\rho^E$. We then have
$$\Pr[\mathsf{A}(\mathcal{E}(\sigma_i^{AE})) = h(i)] = \frac{1}{3}\,\eta_1 + \frac{2}{3}\cdot\frac{1}{2}\,\eta_2 = \frac{1}{3}(\eta_1+\eta_2) \ge \frac{1}{3}(1+3\varepsilon).$$
Finally we get that for all adversaries $\mathsf{A}'$,
$$\Pr[\mathsf{A}(\mathcal{E}(\sigma_i^{AE})) = h(i)] - \Pr[\mathsf{A}'(\sigma_i^E) = h(i)] \ge \frac{1}{3}(1+3\varepsilon) - \frac{1}{3} = \varepsilon,$$
a violation of entropic security. ■



V. Two encryption schemes

Before presenting the ciphers, we will give some definitions and technical lemmas which will be used in the presentation of both encryption schemes.

First, we define the following shortcut for any matrix $\sigma^{AE}$:

We also define

(18)

A. A scheme based on $\delta$-biased sets

In [8], Ambainis and Smith introduced an approximate quantum encryption scheme based on $\delta$-biased sets. Here, we shall show that if $H_\infty(A|E)_\rho \ge t$, then the Ambainis–Smith scheme is $(t,\varepsilon)$-secure using $n - t + 2\log n + 2\log(1/\varepsilon)$ bits of key, where $n$ is the logarithm of $d_A$ as usual.

Definition 5 ($\delta$-biased set). A set $S\subseteq\{0,1\}^n$ is said to be $\delta$-biased if and only if for every $s'\in\{0,1\}^n$, $s'\ne 0^n$, we have that
$$\left|\frac{1}{|S|}\sum_{s\in S}(-1)^{s\odot s'}\right| \le \delta.$$

There exist several efficient constructions of $\delta$-biased sets ([14]–[16]); following [3], we will use the one from [16], which yields sets of size $n^2/\delta^2$ (note that Dickinson and Nayak [17] improve this to $16/\delta^2$).
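Worked example (added by the editor; not part of the original paper). Definition 5 evaluated on a small constructed set, with the paper's notation $s\odot s'$ for the inner product modulo 2. Take $n = 2$ and $S = \{00, 01, 10\}\subseteq\{0,1\}^2$, so $|S| = 3$; the three nonzero $s'$ give
$$\begin{aligned}
s' = 01:&\quad \tfrac13\big[(-1)^{00\odot 01} + (-1)^{01\odot 01} + (-1)^{10\odot 01}\big] = \tfrac13\,[\,1 - 1 + 1\,] = \tfrac13,\\
s' = 10:&\quad \tfrac13\,[\,1 + 1 - 1\,] = \tfrac13,\\
s' = 11:&\quad \tfrac13\,[\,1 - 1 - 1\,] = -\tfrac13,
\end{aligned}$$
so $\max_{s'\ne 0^2}\big|\tfrac{1}{|S|}\sum_{s\in S}(-1)^{s\odot s'}\big| = \tfrac13$: $S$ is $\tfrac13$-biased and not $\delta$-biased for any $\delta < \tfrac13$. For comparison, the full set $S = \{0,1\}^n$ is $0$-biased (for $s'\ne 0^n$ the sum factorizes over bit positions and the factor for any position with $s'_i = 1$ is $1 + (-1) = 0$), at the cost of $|S| = 2^n$, while the singleton $S = \{0^n\}$ has bias $1$. Read as a key set for the Ambainis–Smith cipher with $n = 1$ qubit (so $a\|b\in\{0,1\}^2$), the set above indexes the three operators $X^0Z^0 = \mathbb{I}$, $X^0Z^1 = Z$ and $X^1Z^0 = X$, and its bias $\delta = \tfrac13$ is the parameter that enters the security bound of Lemma 6.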



The Ambainis–Smith scheme consists of applying an operator at random from the set
$$\{X^aZ^b : a\|b\in S \text{ and } |a| = |b| = n\},$$
where $S$ is a $\delta$-biased set containing strings of length $2n$. The shared private key is used to index one of the operators. In other words, the encryption operator is

(19)

for any state $\rho^{AE}$, where $\sigma^E$ is a state such that $\rho^{AE} \le 2^{-H_\infty(A|E)_\rho}\,\mathbb{I}^A\otimes\sigma^E$.

Lemma 4. For every density matrix $\sigma^{AE}$, we have that

Proof: Let $\{E_j\}$ be an orthonormal basis for $\mathcal{L}(\mathcal{H}_E)$. Since Pauli matrices form an orthonormal basis for $\mathcal{L}(\mathcal{H}_A)$, we have

(20)
(21)
(22)
(23)

■



We will also make use of the following lemma (Lemma 5.1.3 in [5]):

Lemma 5. Let $S$ be a Hermitian operator and let $\sigma$ be any positive definite operator. Then
$$\|S\|_1 \le \sqrt{\mathrm{Tr}(\sigma)\,\mathrm{Tr}\big(S\,\sigma^{-1/2}\,S\,\sigma^{-1/2}\big)}.$$


We shall now prove that this scheme is secure in our framework. The following lemma contains most of the proof, and the main theorem follows:

Lemma 6. For any state $\rho^{AE}$ with $H_\infty(A|E)_\rho \ge t$, we have that
$$\left\|\mathcal{E}(\rho^{AE}) - \frac{\mathbb{I}}{d_A}\otimes\rho^E\right\|_1 \le \delta\sqrt{d_A\,2^{-t}}. \qquad (24)$$

Proof: Let $\sigma^E$ be a state such that $\rho^{AE} \le 2^{-t}\,\mathbb{I}^A\otimes\sigma^E$ and write

$$\left\|\mathcal{E}(\rho^{AE}) - \frac{\mathbb{I}}{d_A}\otimes\rho^E\right\|_1 \le \sqrt{d_A\,\mathrm{Tr}[\ \ ]}\,. \qquad (25)$$

This is due to Lemma 5, with $\sigma = \mathbb{I}\otimes\sigma^E$; without loss of generality, we can assume that $\rho^E$ has full rank by considering $\mathcal{H}_E$ to be the support of $\rho^E$. We continue by applying Lemma 4 on $\tilde\rho^{AE}$:

(26)

and therefore

(27)
(28)

where $\alpha_{uv} = \frac{1}{|S|}\sum_{a\|b\in S}(-1)^{v\|u\odot a\|b}$ and since $\mathrm{Tr}[\tilde\rho^{AE}] = 0$, we can neglect the term $v\|u = 0^{2n}$, and hence $|\alpha_{uv}| \le \delta$.

We now compute the trace in (25) as follows:

(29)

where

(30)

and where:

(a) comes from the fact that $(\mathbb{I}\otimes\sigma^{-1/2})\,\mathcal{E}(\tilde\rho^{AE})\,(\mathbb{I}\otimes\sigma^{-1/2})$ is Hermitian, hence taking its adjoint leaves it unchanged;

(b) is true because terms in which the $u,v$ pairs are not the same in both sums disappear when we take the trace;

(c) because $\alpha_{uv}^2 \le \delta^2$ and every term in the sum has a nonnegative trace since $\mathrm{Tr}[M_{uv}^\dagger\,\sigma^{-1/2}\,M_{uv}\,\sigma^{-1/2}] = \mathrm{Tr}\big[(\sigma^{-1/4}M_{uv}^\dagger\sigma^{-1/4})(\sigma^{-1/4}M_{uv}^\dagger\sigma^{-1/4})^\dagger\big]$;

(d) is justified below;

(e) is due to Lemma 4; and

(f) comes from the fact that $\rho^{AE} \le 2^{-t}\,\mathbb{I}\otimes\sigma^E \Rightarrow (\mathbb{I}\otimes$

To justify (d), we first observe that $M_{uv} = M'_{uv} + M''_{uv}$, where

Step (d) then follows when we combine this with the observation that $M'_{00} = \rho^E$, $M'_{uv} = 0$ if $uv\ne 00$, and $M''_{00} = 0$: the first sum is what we want to bound; the two sums in the middle evaluate to the zero matrix; and in the last sum, only the $00$ term remains, which clearly has a positive trace.

Substituting the end result of (29) in (25), we obtain:
$$\left\|\mathcal{E}(\rho^{AE}) - \frac{\mathbb{I}}{d_A}\otimes\rho^E\right\|_1 \le \delta\sqrt{d_A\,2^{-t}}. \qquad (31)$$
■

The main theorem now easily follows:

Theorem 3. If $H_\infty(A|E)_\rho \ge t$, then the Ambainis–Smith scheme is $(t,\varepsilon)$-secure using $n - t + 2\log n + 2\log(1/\varepsilon) + 2$ bits of key, where $n = \log d_A$.

Proof: If we choose $\delta = \varepsilon/2^{(n-t)/2}$ and construct $S$ using the method of [16] such that $|S| = (2n)^2/\delta^2$, by Lemma 6 we obtain
$$\left\|\mathcal{E}(\rho^{AE}) - \frac{\mathbb{I}}{d_A}\otimes\rho^E\right\|_1 \le \varepsilon$$
using $n - t + 2\log n + 2\log(1/\varepsilon) + 2$ bits of key. ■

B. A scheme based on XOR-universal functions

Our second scheme, based on XOR-universal functions, can be considered as a quantum version of the scheme given in [3]. This scheme can also be viewed as a generalization of the second scheme of [8].

Definition 6. Let $H_n = \{h_i\}_{i\in I}$ be a finite family of functions from $n$-bit strings to $n$-bit strings. We say the family $H_n$ is strongly-XOR-universal if for all $n$-bit strings $a$, $x$, and $y$ such that $x\ne y$ we have
$$\Pr_i[h_i(x)\oplus h_i(y) = a] = 2^{-n},$$
where $i$ is distributed uniformly over $I$. The family proposed in [3] naturally possesses this property if one allows $i$ to be zero.
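Worked example (added by the editor; not part of the original paper). A concrete strongly-XOR-universal family in the sense of Definition 6, written with the paper's symbols $h_i$, $I$, $x$, $y$, $a$. Identify $\{0,1\}^n$ with the field $\mathrm{GF}(2^n)$ and let $I = \mathrm{GF}(2^n)$ (zero included), with $h_i(x) = i\cdot x$ (field multiplication); that the family of [3] is of this form is the editor's recollection and should be treated as an assumption. For $x\ne y$ put $z = x\oplus y \ne 0$; since $\oplus$ is field addition,
$$h_i(x)\oplus h_i(y) = i\cdot x \oplus i\cdot y = i\cdot z,$$
and $i\mapsto i\cdot z$ is a bijection of $\mathrm{GF}(2^n)$ because $z$ is invertible, so
$$\Pr_i[h_i(x)\oplus h_i(y) = a] = \Pr_i[i = a\cdot z^{-1}] = \frac{1}{|I|} = 2^{-n}\quad\text{for every } a.$$
Instance $n = 2$: $\mathrm{GF}(4) = \{0, 1, \omega, \omega^2\}$ with $\omega^2 = \omega + 1$ and $\omega^3 = 1$, encoded as $0\leftrightarrow 00$, $1\leftrightarrow 01$, $\omega\leftrightarrow 10$, $\omega^2\leftrightarrow 11$. Take $x = 01$ and $y = 10$, so $z = 11 = \omega^2$:
$$\begin{array}{c|cccc}
i & 0 & 1 & \omega & \omega^2\\\hline
i\cdot z = h_i(x)\oplus h_i(y) & 0 & \omega^2 & \omega^3 = 1 & \omega^4 = \omega\\
\text{as bits} & 00 & 11 & 01 & 10
\end{array}$$
Every $a\in\{0,1\}^2$ appears exactly once, so the probability is $\tfrac14 = 2^{-2}$. This also shows why $i = 0$ must be allowed, as the paper remarks: over $I\setminus\{0\}$ the value $a = 00$ is never hit (probability $0$) and each of the other three values has probability $\tfrac13$, so the family would not be strongly-XOR-universal.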
We define our second cipher as follows. Let $H_{2n}$ be a strongly-XOR-universal family of functions. The encryption operator for the key $k$ is defined as
$$\mathcal{E}_k(\rho) = \frac{1}{|I|}\sum_{i\in I}|i\rangle\langle i|^{A'}\otimes\big(X^aZ^b\otimes\mathbb{I}^E\big)\,\rho\,\big(Z^bX^a\otimes\mathbb{I}^E\big), \qquad (32)$$
where $a\|b = h_i(k)$, $|a| = |b| = n$, $h_i\in H_{2n}$ and $k$ is the secret key selected uniformly at random from a set $K\subseteq\{0,1\}^{2n}$. The overall cipher can be described by the superoperator
$$\mathcal{E}(\rho) = \frac{1}{|I|\,|K|}\sum_{i\in I,\,k\in K}|i\rangle\langle i|^{A'}\otimes\big(X^aZ^b\otimes\mathbb{I}^E\big)\,\rho\,\big(Z^bX^a\otimes\mathbb{I}^E\big). \qquad (33)$$
The structure of $K$ is irrelevant; only its cardinality matters for the security of the scheme. Note that this scheme is not length preserving since the ancillary system $A'$ is part of the ciphertext. We now prove that this scheme is secure with the following theorem:

Theorem 4. $\mathcal{E}$ is $(t,\varepsilon)$-indistinguishable if $\log|K| \ge n - t + 2\log(1/\varepsilon)$.



Proof: To show that the cipher is $(t,\varepsilon)$-indistinguishable, we must show that for all states $\rho^{AE}$ such that $H_\infty(A|E)_\rho \ge t$,
$$\left\|\mathcal{E}(\rho^{AE}) - \frac{\mathbb{I}^{AA'}}{|I|\,d_A}\otimes\rho^E\right\|_1 \le \varepsilon. \qquad (34)$$
As in the proof of our other scheme, we use Lemma 5 with $\sigma = \mathbb{I}^{AA'}\otimes\sigma^E$ to bound this:
$$\left\|\mathcal{E}(\rho^{AE}) - \frac{\mathbb{I}^{AA'}}{|I|\,d_A}\otimes\rho^E\right\|_1 \le \sqrt{|I|\,d_A\,\mathrm{Tr}[\ \ ]}\,. \qquad (35)$$
To compute the trace in the above expression, we first express $\mathcal{E}(\tilde\rho^{AE})$ using Lemma 4:

(36)
(37)

where $\alpha_{uvki} = \frac{1}{|I|\,|K|}(-1)^{v\|u\odot a\|b}$ and $a\|b = h_i(k)$. We are now ready to evaluate the trace in (35):

(38)

where

(a) comes from the fact that $(\mathbb{I}\otimes\sigma^{-1/2})\,\mathcal{E}(\tilde\rho^{AE})\,(\mathbb{I}\otimes\sigma^{-1/2})$ is Hermitian, hence taking its adjoint leaves it unchanged;

(b) is true because terms in which the $u,v,i$ triples are not the same in both sums disappear when we take the trace. Taking the partial trace on the subsystem containing $|i\rangle\langle i|$ then yields this;

(c) is justified below;

(d) follows exactly the same argument as in equation block (29) from line (d) onwards.

We now justify step (c). We first consider the terms of the sum in which $k\ne k'$. In the following, let $a\|b = h_i(k)$ and $c\|d = h_i(k')$. If $k\ne k'$, we have
$$\sum_{i\in I}\alpha_{uvki}\,\alpha_{uvk'i} = \left(\frac{1}{|I|\,|K|}\right)^2\sum_{i\in I}(-1)^{(v\|u\odot a\|b)\oplus(v\|u\odot c\|d)} = \left(\frac{1}{|I|\,|K|}\right)^2\sum_{i\in I}(-1)^{v\|u\odot(a\|b\oplus c\|d)}.$$
However, by Definition 6, $a\|b\oplus c\|d$ is uniformly distributed over all $2n$-bit strings when $i$ is chosen uniformly at random. This sum is therefore equal to zero whenever $v\|u\ne 0^{2n}$, and to $|I|\big(\frac{1}{|I|\,|K|}\big)^2$ when $v\|u = 0^{2n}$. However, we observe that $M_{00} = 0$, and hence those terms also disappear from the sum inside the trace.

To take care of the case where $k = k'$, it can easily be shown that $\alpha_{uvki}^2 = \frac{1}{|I|^2|K|^2}$. Summing over all $i$ and $k$, step (c) follows.

Now, by hypothesis, we have $\log|K| \ge n - t + 2\log(1/\varepsilon)$, which can be transformed into $-\log|K| - t \le \log(\varepsilon^2) - \log d_A$. Exponentiating both sides yields $\frac{2^{-t}}{|K|} \le \frac{\varepsilon^2}{d_A}$. Combining this bound with (38) and substituting in (35) concludes the proof. ■



VI. Minimum requirement for the key length

We can generalize the proof for the lower bound on the key length found in [3] to the quantum world and the conditional min-entropy definition.

Theorem 5. Any quantum encryption scheme which is $(t,\varepsilon)$-indistinguishable for inputs of $n$ qubits requires a key of length at least $n - t - 1$ as long as $\varepsilon \le 1/2$.

Proof: We prove this by constructing a state with conditional min-entropy $t$ which provably requires at least $n - t - 1$ bits of key to be securely encrypted. Consider the state
$$\rho^{A\tilde{A}E} = |\Phi^+\rangle\langle\Phi^+|^{AE}\otimes\frac{\mathbb{I}^{\tilde A}}{d_{\tilde A}}, \qquad\text{where } |\Phi^+\rangle = \sum_{i=1}^{d_A}\frac{1}{\sqrt{d_A}}\,|i\rangle^A|i\rangle^E$$
is a maximally entangled state; Alice wants to send both $A$ and $\tilde A$ to Bob securely. Furthermore, let $d_A = d_E = 2^{(n-t)/2}$ and $d_{\tilde A} = 2^{(n+t)/2}$, hence $d_A d_{\tilde A} = 2^n$. It is easy to compute the conditional min-entropy of this state:
$$\begin{aligned}
H_\infty(A\tilde A|E)_\rho &= H_\infty(A|E)_{|\Phi^+\rangle\langle\Phi^+|} + H_\infty(\tilde A)_{\mathbb{I}/d_{\tilde A}}\\
&= -(n-t)/2 + (n+t)/2\\
&= t.
\end{aligned}$$
Now, it is clear that this state requires at least as much key to encrypt as $|\Phi^+\rangle\langle\Phi^+|^{AE}$ alone, since one could securely encrypt $|\Phi^+\rangle\langle\Phi^+|^{AE}$ using a protocol to encrypt $\rho^{A\tilde AE}$ by adding $(n+t)/2$ random qubits to the input state. However, as the following theorem proves, $|\Phi^+\rangle\langle\Phi^+|^{AE}$ requires at least $(n-t) - 1$ bits of key to encrypt. ■

Theorem 6. Let $\mathcal{E}$ be a cipher such that for all states $\rho^{AE}$, there exists some state $\Omega^{A'}$ such that
$$\left\|\mathcal{E}(\rho^{AE}) - \Omega^{A'}\otimes\rho^E\right\|_1 \le \varepsilon; \qquad (40)$$
then $\mathcal{E}$ requires at least $2\log(d_A) - 1$ bits of key, or $2n - 1$ bits of key for an $n$-qubit system, whenever $\varepsilon \le 1/2$.

Before proving this, we first need a technical lemma which says that by conditioning on a classical system, we cannot reduce the min-entropy by more than the dimension of the system:

Lemma 7. Given a state $\omega^{AEK} = \sum_k p_k\,\omega_k^{AE}\otimes|k\rangle\langle k|^K$, we have that $H_\infty(E|AK)_\omega \ge H_\infty(E|A)_\omega - \log|K|$.

Proof:
$$\begin{aligned}
2^{-H_\infty(E|AK)_\omega} &= \min_{\sigma^{AK}}\min\{\lambda : \lambda\,\mathbb{I}^E\otimes\sigma^{AK} \ge \omega^{AEK}\}\\
&\le \min_{\sigma^A}\min\Big\{\lambda : \lambda\,\mathbb{I}^E\otimes\sigma^A\otimes\frac{\mathbb{I}^K}{|K|} \ge \omega^{AEK}\Big\}\\
&= |K|\,\min_{\sigma^A}\min\{\lambda : \lambda\,\mathbb{I}^E\otimes\sigma^A\otimes\mathbb{I}^K \ge \omega^{AEK}\}\\
&\le |K|\,\min_{\sigma^A}\min\{\lambda : \lambda\,\mathbb{I}^E\otimes\sigma^A \ge \omega^{AE}\}\\
&= |K|\,2^{-H_\infty(E|A)_\omega},
\end{aligned}$$
where the second inequality holds due to the fact that
$$\omega^{AE} \le \lambda\,\mathbb{I}^E\otimes\sigma^A \ \Rightarrow\ \omega^{AEK} \le \lambda\,\mathbb{I}^E\otimes\sigma^A\otimes\mathbb{I}^K.$$
The last implication is true since the classicality of $K$ ensures that $\omega^{AEK} \le \omega^{AE}\otimes\mathbb{I}^K$. ■

Proof of Theorem 6: Let $\mathcal{H}_A = \mathcal{H}_E$, and let $\rho^{AE} = |\Phi^+\rangle\langle\Phi^+|^{AE}$. Then, by the Fuchs–van de Graaf inequalities [18] we have that
$$F\big(\mathcal{E}(\rho^{AE}),\,\Omega^{A'}\otimes\rho^E\big)^2 \ge 1 - \varepsilon. \qquad (41)$$
Now, let $\zeta^{AEK}$ be a state such that $\mathrm{Tr}_K[\zeta^{AEK}] = \mathcal{E}(\rho)$ and in which the $K$ register holds the key:

Then, by Uhlmann's theorem ([19], or see Theorem 9.4 in [10]),
$$F\big(\mathcal{E}(\rho),\,\Omega^{A'}\otimes\rho^E\big)^2 = \max_{\sigma^{AEK}} F\big(\zeta^{AEK},\sigma^{AEK}\big)^2.$$
Now, let $\sigma^{AEK}$ be a state such that $\mathrm{Tr}_K[\sigma^{AEK}] = \Omega^{A'}\otimes\rho^E$ that maximizes the above fidelity. Also, let $\zeta^{AEKK'} = V\zeta^{AEK}V^\dagger$ and $\sigma^{AEKK'} = V\sigma^{AEK}V^\dagger$, where $V^{K\to KK'} = \sum_k |kk\rangle\langle k|$, $\mathcal{H}_K = \mathcal{H}_{K'}$ and $\{|k\rangle\}_{k\in K}$ is the computational basis on $\mathcal{H}_K$. Note that this ensures that $\sigma^{AEKK'}$ is classical on $K$. We then have:
$$\begin{aligned}
F\big(\mathcal{E}(\rho),\,\Omega^{A'}\otimes\rho^E\big)^2 &= F\big(\zeta^{AEK},\sigma^{AEK}\big)^2\\
&= F\big(\zeta^{AEKK'},\sigma^{AEKK'}\big)^2\\
&\le F\big(\Phi^{AE},\,\mathcal{D}(\sigma^{AEKK'})\big)^2\\
&\le \max_{\omega^{AEK}}\frac{2^{-H_\infty(E|AK)_\omega}}{2^n},
\end{aligned}$$
where $\mathcal{D}$ is a superoperator which decrypts and then forgets the key.³ Now, by Lemma 7 above, we have that for any state $\omega^{AEK}$ that is classical on $K$ and such that $\mathrm{Tr}_K[\omega^{AEK}] = \omega^A\otimes\frac{\mathbb{I}^E}{2^n}$, $H_\infty(E|AK)_\omega \ge n - \log|K|$. Hence,
$$1 - \varepsilon \le \max_{\omega^{AEK}}\frac{2^{-H_\infty(E|AK)_\omega}}{2^n} \le \frac{2^{-n+\log|K|}}{2^n} = |K|\,2^{-2n}, \qquad (42)\text{–}(44)$$
and therefore $|K| \ge 2^{2n}(1-\varepsilon)$. Hence, $\log|K| \ge 2n + \log(1-\varepsilon) \ge 2n - 1$ if, as assumed, $\varepsilon \le \frac{1}{2}$. ■

³See also Equation 9.110 in Nielsen and Chuang.

The tighter bound of [3] for schemes using public coins, given there as proposition 3.8, cannot be similarly generalized.



VII. Conclusion 

We have shown how to fully generalize the notions of entropic 
security and entropic indistinguishability without making any 
assumption on the entanglement between the sender and the 
adversary. Furthermore, we proved that the two approximate
quantum encryption schemes presented in [8] are also secure in
this model. Is it possible to prove a general theorem showing 
that every quantum encryption scheme is entropically secure? 
If it is true, it would require different techniques than the ones 
used here, since our proofs rely on the fact that the ciphers 
give guarantees in the 2-norm, and not only in the 1-norm as 
in the definition of an approximate cipher. We leave this as an 
open problem. 